jerry xu wrote:
>> I just want to forbid people running any of their own program at each
> node. They are only allowed to submit job through the batch system
> (OpenPBS).
You can use PAM to prevent logins into your nodes for most users. Just
modify /etc/pam.d/rlogin to include the line
auth requisite /lib/security/pam_localuser.so file=/etc/loginusers
immediately after the pam_nologin.so entry, and copy the /etc/passwd
entries for authorized rlogin users (usually only root) to
/etc/loginusers on your nodes. Any user not in /etc/loginusers will be
denied rlogin, although they will still be able to rexec.
This won't work for /etc/pam.d/rexec because PBS normally needs rexec to
start permissible jobs. A crude tool to at least encourage PBS use is
a cron job to kill regular users' non-PBS jobs, e.g. hourly or even more
often. A PBS job will have PBS environment variables defined.
On my old cluster, we were satisfied with the above two measures, since
inadvertent rlogin was our only real problem.
Finally, perhaps someone has written a PAM module that restricts normal
users' node access to PBS jobs only.
Sincerely,
Josip